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Remarks 



Reconsideration of the subject application is requested in view of the following remarks. 
Claims 1-38 are in the application. 

Claims 1-23 and 27-38 stand rejected as allegedly anticipated by Bemhard et al., U.S. 
Patent 6,275,942 ("Bemhard"). This rejection is traversed. Claim 1 recites a method for 
implementing an intrusion detection system in a network. The method comprises receiving a 
request at a software agent program to initiate intrusion detection services on a remote computer 
and installing intrusion detection software on the remote computer via the software 
agent program. The intrusion detection software is executed on the remote computer via the 
software agent program. 

Bemhard does not teach or suggest such a method. According to Bemhard, intrusion 
detection systems produce a "hard coded" response to a detected intrusion. Col. 2, lines 8-15. 
To allow new responses to a detected intrusion, Bemhard teaches active response modules 
(ARMs) that can be created and installed as add-ons. Col. 3, lines 10-14. A plurality of ARMs 
is provided, and an appropriate ARM is invoked in response to a detected intrusion. Col. 2, lines 
50-58. In contrast to Bemhard, the pending claims are directed to intmsion detection, not to 
responses to intmsions such as provided by Bemhard' s ARMs. 

According to the Office action, Bernard discloses receiving a request at a software agent 
program to initiate intmsion detection services on a remote compute at col. 7, lines 44-50. This 
portion of Bemhard does not teach or suggest receiving such a request, but instead teaches 
building an executable file corresponding to an ARM using a conventional "make" utility. Col. 
7, lines 38-40. Installed intmsion detection system (IDS) software calls the ARM in response to 
detection of a particular intmsion. Col. 7, lines 48-50. The initiation of intmsion detection 
services in not mentioned in this portion of Bemhard. 

The Office action states that Bemhard teaches installing intrusion detection software on a 
remote computer via a software agent program at col. 7, lines 50-65. This is incorrect. This 
portion of Bemhard teaches testing a newly built ARM, and preparing install and iminstall 
scripts for the new ARM. Installation of intmsion detection software is not mentioned. 

The Office action also states that Bemhard teaches executing intmsion detection software 
on a remote computer via a software agent program at col. 7, lines 30-37 and col. 5, lines 8-28. 
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This is incorrect. The portion of Bemhard at col. 7, lines 30-37 relates to execution of code for a 
newly written ARM, and does not teach or suggest installation of intrusion detection software. 
The portion of Bernard at col. 5, lines 8-28 relates to computer networks in which intrusion 
detection software is provided at a central workstation, at one or more network elements, or 
between network elements. This portion of Bemhard does not teach or suggest remote 
installation of intrusion detection software via a software agent program. 

For at least these reasons, claim 1 and dependent claims 2-14 are properly allowable over 
Bemhard. 

Claim 15 recites a method for implementing an intmsion detection system on a computer 
connected to a network. The method includes receiving a request to become an intmsion 
detection platform firom a remote network location, and executing the intmsion detection 
soflAvare in response to the request. Bemhard does not teach or suggest such a method. 
According to the Office action, Bemhard at col. 7, lines 44-50 teaches receiving a request to 
become an intmsion detection platform from a remote network location. This is incorrect. This 
portion of Barnard teaches building an executable file corresponding to an ARM using a 
conventional "make" utility. Col. 7, lines 38-40. The Office action also states that Bemhard at 
col. 7, lines 30-37 and col. 5, lines 8-28 teaches executing the intmsion detection softvvare in 
response to the request. This is incorrect. These portions of Bemhard relates to execution of 
code for a newly written ARM and computer networks in which intmsion detection software is 
provided at a central workstation, at one or more network elements, or between network 
elements, respectively. Execution of intmsion detection software in response to a request to 
become an intmsion detection platform fi*om a remote location is not mentioned. For at least 
these reasons, claim 15 and dependent claims 16-22 are properly allowable over Bemhard. 

Claim 23 recites a system for detecting intmsions in a computer network. The system 
includes a plurality of computers executing software agents and an intmsion detection server. 
The intmsion detection server is configured to send a request to execute intmsion detection 
software to a software agent at at least one of the plurality of computers when intmsion detection 
services are needed based on information contained in a database. Bemhard does not teach or 
suggest such a network. Bemhard teaches computer networks in which intmsion detection 
software is provided at a central workstation, at one or more network elements, or between 
network elements. Col. 5, lines 8-28 and Fig. 1. Bemhard does not teach or suggest sending a 
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request to execute intrusion detection software, a software agent that receives such a request. 
For at least these reasons, claim 23 and dependent claims 24-29 are properly allowable over 
Bemhard. 

Claim 30 recites an article of manufacture that comprises a computer-readable medium 
having instructions adapted to be executed by a processor. The instructions define a series of 
steps to be used to perform network intrusion detection that includes receiving a request at a 
software agent program to initiate intrusion detection services on a remote computer, and 
installing intrusion detection software on the remote computer via the software agent program. 
The intrusion detection software is then executed on the remote computer. As noted above, 
Bemhard does not teach or suggest receiving, at a software agent, a request to initiate intrusion 
detection services on a remote computer as recited in claim 30. Therefore, claim 30 and 
dependent claims 31-38 are properly allowable over Bemhard. 

Claims 24-26 stand rejected as allegedly obvious from a combination of Bemhard and 
Gainsford et al., U.S. Patent 6,023,586. This rejection is traversed. Claims 24-26 are dependent 
from allowable clam 23 and are therefore properly allowable. 

In view of the preceding remarks, claims 1-38 are in condition for allowance and action 
to such end is requested. 

RECEIVED 
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